Legal claims defining the scope of protection, as filed with the USPTO.
1. A system, comprising: a processor configured to: receive a set of new fully qualified domain names (FQDNs); analyze the set of new FQDNs to detect domain squatting by identifying a subset of the new FQDNs as candidate squatting domains; check whether a candidate squatting domain of the candidate squatting domains uses a same name server or a same autonomous system number (ASN) as a corresponding potential target domain; in response to a determination that the candidate squatting domain uses the same name server or the same ASN as the corresponding potential target domain, filter out the candidate squatting domain from the domain name registrant to obtain remaining candidate squatting domains; and distribute the remaining candidate squatting domains to a security device/service; and a memory coupled to the processor and configured to provide the processor with instructions.
2. The system of claim 1, wherein: the receiving of the set of new FQDNs comprises to: receive a set of newly registered domains (NRDs); and the analyzing of the set of new FQDNs to detect domain squatting by identifying the subset of the new FQDNs as candidate squatting domains comprises to: cluster the set of NRDs into lexically similar groups to obtain a plurality of NRD clusters; calculate distances from potential target domains to the plurality of NRD clusters; and identify a subset of NRDs having the closest distance to the potential target domains as candidate typosquatting domains.
3. The system of claim 2, wherein the subset of NRDs having the closest distance comprises: the subset of NRDs includes N NRDs that have the closest distance, N being an integer.
4. The system of claim 2, wherein the subset of NRDs having the closest distance comprises: NRDs that have a distance to a potential target domain less than or equal to a distance threshold.
5. The system of claim 1, wherein: the receiving of the set of new FQDNs comprises to: receive a set of newly registered domains (NRDs); and the analyzing of the set of new FQDNs to detect domain squatting by identifying the subset of the new FQDNs as candidate squatting domains comprises to: construct a trie for potential target domains; matching the set of NRDs against the trie to determine whether the set of NRDs matches the potential target domains; and in the event that a subset of NRDs matches the potential target domains, determine that the subset of matching NRDs are candidate combosquatting domains.
6. The system of claim 1, wherein: the receiving of the set of new FQDNs comprises to: receive a set of newly registered domains (NRDs); and the analyzing of the set of new FQDNs to detect domain squatting by identifying the subset of the new FQDNs as candidate squatting domains comprises to: convert one NRD of the set of NRDs into bits; compare the bits of the one NRD with bits of a potential target domain using an exclusive OR (XOR) to obtain comparison results; determine whether a single difference bit exists using the comparison results; and in response to a determination that the single difference bit exists, determine that the one NRD is a candidate bitsquatting domain.
7. The system of claim 1, wherein: the receiving of the set of new FQDNs comprises to: receive a set of newly registered domains (NRDs); and the analyzing of the set of new FQDNs to detect domain squatting by identifying the subset of the new FQDNs as candidate squatting domains comprises to: detect an NRD of the set of NRDs corresponds to an internationalized domain name (IDN); transform the IDN to a unicode domain name version using a converter; identify an international character in the unicode domain name version; substitute, using a lookup table, a corresponding homographic English character for the international character in the unicode domain name version to obtain a homographic domain name version; compare the homographic domain name version with a set of potential target domains; and in response to a determination that the homographic domain name version matches at least one potential target domain of the set of potential target domains, determine that the NRD is a candidate homograph-squatting domain.
8. The system of claim 1, wherein: the receiving of the set of new FQDNs comprises to: receive a set of newly observed hostnames (NOHs); and the analyzing of the set of new FQDNs to detect domain squatting by identifying a subset of the new FQDNs as candidate squatting domains comprises to: split an NOH of the set of NOHs into a plurality of first segments; split a potential target domain into a plurality of second segments; compare the plurality of first segments with the plurality of second segments; and in response to a determination that the plurality of first segments matches the plurality of second segments, determine that the NOH is a candidate levelsquatting domain.
9. The system of claim 8, wherein segments of the plurality of first segments and the plurality of second segments are separated by periods or dashes.
10. A method, comprising: receiving, using a processor, a set of new fully qualified domain names (FQDNs); analyzing, using the processor, the set of new FQDNs to detect domain squatting by identifying a subset of the new FQDNs as candidate squatting domains; checking whether a candidate squatting domain of the candidate squatting domains uses a same name server or a same autonomous system number (ASN) as a corresponding potential target domain; in response to a determination that the candidate squatting domain uses the same name server or the same ASN as the corresponding potential target domain, filtering out the candidate squatting domain from the domain name registrant to obtain remaining candidate squatting domains; and distributing, using the processor, the remaining candidate squatting domains to a security device/service.
11. The method of claim 10, wherein: the receiving of the set of new FQDNs comprises: receiving a set of newly registered domains (NRDs); and the analyzing of the set of new FQDNs to detect domain squatting by identifying the subset of the new FQDNs as candidate squatting domains comprises: clustering the set of NRDs into lexically similar groups to obtain a plurality of NRD clusters; calculating distances from potential target domains to the plurality of NRD clusters; and identifying a subset of NRDs having the closest distance to the potential target domains as candidate typosquatting domains.
12. The method of claim 11, wherein the subset of NRDs having the closest distance comprises: the subset of NRDs includes N NRDs that have the closest distance, N being an integer.
13. The method of claim 11, wherein the subset of NRDs having the closest distance comprises: NRDs that have a distance to a potential target domain less than or equal to a distance threshold.
14. The method of claim 10, wherein: the receiving of the set of new FQDNs comprises: receiving a set of newly registered domains (NRDs); and the analyzing of the set of new FQDNs to detect domain squatting by identifying the subset of the new FQDNs as candidate squatting domains comprises: constructing a trie for potential target domains; matching the set of NRDs against the trie to determine whether the set of NRDs matches the potential target domains; and in the event that a subset of NRDs matches the potential target domains, determining that the subset of matching NRDs are candidate combosquatting domains.
15. The method of claim 10, wherein: the receiving of the set of new FQDNs comprises: receiving a set of newly registered domains (NRDs); and the analyzing of the set of new FQDNs to detect domain squatting by identifying the subset of the new FQDNs as candidate squatting domains comprises: converting one NRD of the set of NRDs into bits; comparing the bits of the one NRD with bits of a potential target domain using an exclusive OR (XOR) to obtain comparison results; determining whether a single difference bit exists using the comparison results; and in response to a determination that the single difference bit exists, determining that the one NRD is a candidate bitsquatting domain.
16. The method of claim 10, wherein: the receiving of the set of new FQDNs comprises: receiving a set of newly registered domains (NRDs); and the analyzing of the set of new FQDNs to detect domain squatting by identifying the subset of the new FQDNs as candidate squatting domains comprises: detecting an NRD of the set of NRDs corresponds to an internationalized domain name (IDN); transforming the IDN to a unicode domain name version using a converter; identifying an international character in the unicode domain name version; substituting, using a lookup table, a corresponding homographic English character for the international character in the unicode domain name version to obtain a homographic domain name version; comparing the homographic domain name version with a set of potential target domains; and in response to a determination that the homographic domain name version matches at least one potential target domain of the set of potential target domains, determining that the NRD is a candidate homograph-squatting domain.
17. The method of claim 10, wherein: the receiving of the set of new FQDNs comprises: receiving a set of newly observed hostnames (NOHs); and the analyzing of the set of new FQDNs to detect domain squatting by identifying a subset of the new FQDNs as candidate squatting domains comprises: splitting an NOH of the set of NOHs into a plurality of first segments; splitting a potential target domain into a plurality of second segments; comparing the plurality of first segments with the plurality of second segments; and in response to a determination that the plurality of first segments matches the plurality of second segments, determining that the NOH is a candidate levelsquatting domain.
18. The method of claim 17, wherein segments of the plurality of first segments and the plurality of second segments are separated by periods or dashes.
19. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: receiving a set of new fully qualified domain names (FQDNs); analyzing the set of new FQDNs to detect domain squatting by identifying a subset of the new FQDNs as candidate squatting domains; checking whether a candidate squatting domain of the candidate squatting domains uses a same name server or a same autonomous system number (ASN) as a corresponding potential target domain; in response to a determination that the candidate squatting domain uses the same name server or the same ASN as the corresponding potential target domain, filtering out the candidate squatting domain from the domain name registrant to obtain remaining candidate squatting domains; and distributing the remaining candidate squatting domains to a security device/service.
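The following added example is not part of the patent text or of any implementation by the applicant. It sketches, in Python, the XOR bitsquatting test of claims 6 and 15, the segment comparison of claims 8-9 and 17-18, and the name-server/ASN filter of claims 1, 10 and 19. Function names, sample FQDNs and infrastructure records are constructed, and treating a hostname that is the target or one of its subdomains as benign is an assumption the claims do not state.

```python
import re

def is_bitsquat(candidate, target):
    """XOR the two names byte-for-byte; a bitsquat differs in exactly one bit."""
    a, b = candidate.lower().encode("utf-8"), target.lower().encode("utf-8")
    if len(a) != len(b):
        return False
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) == 1

def segments(name):
    """Split a name into segments separated by periods or dashes."""
    return [s for s in re.split(r"[.-]", name.lower().rstrip(".")) if s]

def is_levelsquat(hostname, target):
    """True if the target's segments appear inside a hostname it does not own."""
    h, t = hostname.lower().rstrip("."), target.lower().rstrip(".")
    if h == t or h.endswith("." + t):  # assumption: target and its subdomains are benign
        return False
    host, tgt = segments(h), segments(t)
    return any(host[i:i + len(tgt)] == tgt for i in range(len(host) - len(tgt) + 1))

def filter_shared_infra(candidates, infra):
    """Drop candidates that share a name server or ASN with their target."""
    kept = []
    for cand, target in candidates:
        c, t = infra.get(cand), infra.get(target)
        if c and t and (c["ns"] & t["ns"] or c["asn"] == t["asn"]):
            continue  # likely a defensive registration by the target's owner
        kept.append(cand)
    return kept

def detect(fqdns, target, infra):
    cands = [(f, target) for f in fqdns
             if is_bitsquat(f, target) or is_levelsquat(f, target)]
    return filter_shared_infra(cands, infra)

# Constructed sample data: reserved example names and documentation-range ASNs.
TARGET = "example.com"
INFRA = {
    "example.com": {"ns": {"ns1.corp-dns.example"}, "asn": 64496},
    "exaeple.com": {"ns": {"ns1.corp-dns.example"}, "asn": 64496},
    "dxample.com": {"ns": {"ns1.parking.test"}, "asn": 64511},
    "example.com.account-verify.test": {"ns": {"ns2.parking.test"}, "asn": 64500},
}
NEW_FQDNS = ["exaeple.com", "dxample.com", "examplf.com",
             "example.com.account-verify.test", "www.example.com"]

if __name__ == "__main__":
    print(detect(NEW_FQDNS, TARGET, INFRA))
```

In this sample, `exaeple.com` is a one-bit variant but is filtered out because it shares the target's name server and ASN, while `examplf.com` differs by two bits and never becomes a candidate.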
July 1, 2025